
I want to pass property values assigned in an XML file to a Spring expression (SpEL) in Java. Can you point out how to achieve that? To make it clear, I've provided the following example.

example.xml file:

<beans>
    <bean id="user" class="x.y.User">
        <property name="name" value="A"/>
        <property name="userId" value="33"/>
    </bean>

    <bean id="customer" class="x.y.Customer">
        <property name="name" value="B"/>
        <property name="customerId" value="33"/>      
    </bean>   
</beans>

Bear in mind that I have 'User' and 'Customer' model classes.

I want to secure a method called 'edit' by using the Pre-Authorize annotation and Spring expressions in the following way.

@PreAuthorize("(#user.userId == #customer.customerId)")
public Boolean edit(User user, Customer customer)  {
    return true;
}

The question is, how can I pass the values of userId and customerId from the example.xml file to the above expression to compare the two values, and then secure the 'edit' method?

Note: I don't want to use a permission evaluator. Please tell me if it is possible to do it without a permission evaluator. Your support and cooperation will be strongly appreciated!

user262

3 Answers


You can refer to bean references in SpEL expressions using @.

I have changed your example around a little to make it more apparent which part of the SpEL expression is referring to beans and which part is referring to the method arguments. Given the following configuration:

<beans>
    <bean id="userBean" class="x.y.User">
        <property name="name" value="A"/>
        <property name="userId" value="33"/>
    </bean>

    <bean id="customerBean" class="x.y.Customer">
        <property name="name" value="B"/>
        <property name="customerId" value="33"/>      
    </bean>   
</beans>

This method will only be allowed if the User argument has the userId of 33 (this is the value of the userBean's userId property).

@PreAuthorize("#user.userId == @userBean.userId")    
public Boolean edit(User user, Customer custmer)  {              
    return true; 
}

Similarly, you can refer to the Customer with id of customerBean (as defined in my example XML) with the following:

@PreAuthorize("#custmer.customerId == @customerBean.customerId")
public Boolean edit(User user, Customer custmer)  {              
    return true; 
}

If you want it to do the same thing with your current XML configuration you can use the following. The point here is that the value after @ should match the name of the bean.

@PreAuthorize("#user.userId == @user.userId")    
public Boolean edit(User user, Customer custmer)  {              
    return true; 
}
Rob Winch
  • Sorry for being late in replying to your answer, I was away for a while. Thanks a lot for the detailed explanation and for pointing out the @ expression to reference beans. It is really a good point; I hadn't seen referencing beans by using @ before. It's interesting, and I am gonna check it. But I want to make one thing clear: the method 'edit' is allowed if the user id and the customer id are equal, not when the user id is 33. I'll post the outcome soon. – user262 Nov 01 '13 at 16:32
  • It doesn't work. The 'edit' method is allowed if userBean's userId and customerBean's customerId are equal. Based on your suggestion it should be written in the following way: @PreAuthorize("@userBean.userId == @customerBean.customerId") public Boolean edit(User user, Customer custmer) { return true; } But it returns the following error: java.lang.IllegalArgumentException: Failed to evaluate expression '(@userBean.userId == @customerBean.customerId)' – user262 Nov 04 '13 at 10:11
  • Please specify when precisely you want to allow access and when you do not. Your current example is not clear if you are wanting to refer to the method arguments or if you want to refer to the beans. – Rob Winch Nov 04 '13 at 22:45
  • I want to refer to the beans, forget about method arguments now. Just consider beans. I tried to clarify it again here: http://stackoverflow.com/questions/19774655/injecting-property-values-from-property-file-or-xml-file-into-preauthorize Check this link, it's more clear. Thanks a lot. – user262 Nov 04 '13 at 23:15
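
Added example, not part of the original answer or thread: a stand-alone SpEL evaluation showing that `@bean` references resolve only when the evaluation context has a BeanResolver, and that an expression built only from beans gives the same decision for every caller, while one using `#user` depends on the argument. The User and Customer shapes, the int id type and the programmatic bean registration (standing in for example.xml) are assumptions; it needs spring-expression, spring-beans and spring-context on the classpath.

```java
import org.springframework.beans.factory.support.DefaultListableBeanFactory;
import org.springframework.context.expression.BeanFactoryResolver;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class BeanReferenceDemo {
    // Assumed shapes of the page's x.y.User and x.y.Customer classes.
    public static class User {
        private final int userId;
        public User(int userId) { this.userId = userId; }
        public int getUserId() { return userId; }
    }
    public static class Customer {
        private final int customerId;
        public Customer(int customerId) { this.customerId = customerId; }
        public int getCustomerId() { return customerId; }
    }

    public static void main(String[] args) {
        // Stand-in for the XML context: singletons with the answer's bean ids and values.
        DefaultListableBeanFactory beans = new DefaultListableBeanFactory();
        beans.registerSingleton("userBean", new User(33));
        beans.registerSingleton("customerBean", new Customer(33));

        SpelExpressionParser parser = new SpelExpressionParser();
        Expression beanOnly = parser.parseExpression("@userBean.userId == @customerBean.customerId");
        Expression argVsBean = parser.parseExpression("#user.userId == @userBean.userId");

        // 1. No BeanResolver on the context: '@' references cannot be resolved.
        StandardEvaluationContext bare = new StandardEvaluationContext();
        try {
            beanOnly.getValue(bare, Boolean.class);
        } catch (SpelEvaluationException e) {
            System.out.println("without resolver: " + e.getMessageCode());
        }

        // 2. With a resolver the bean-only rule evaluates, but never looks at the caller.
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        ctx.setBeanResolver(new BeanFactoryResolver(beans));
        System.out.println("bean-only rule: " + beanOnly.getValue(ctx, Boolean.class));

        // 3. Comparing a method argument (#user) with a bean varies per call.
        ctx.setVariable("user", new User(33));
        System.out.println("argument 33: " + argVsBean.getValue(ctx, Boolean.class));
        ctx.setVariable("user", new User(7));
        System.out.println("argument 7: " + argVsBean.getValue(ctx, Boolean.class));
    }
}
```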

@Rob, it doesn't work. 'edit' method is allowed if userBean's userId and customerBean's customerId are equal. Based on your suggestion it should be written like the following way:

@PreAuthorize("@userBean.userId == @customerBean.customerId")    
public Boolean edit(User user, Customer custmer)  {              
    return true; 
}   

But it returns the following error:

java.lang.IllegalArgumentException: Failed to evaluate expression '(@userBean.userId == @customerBean.customerId)'

Any suggestion please?

UPDATE. Change @userBean.userId to @user.userId and @customerBean.customerId to @customer.customerId

rdm
user262
  • @rdm Hi rdm, 'user' and 'customer' are not bean names. Do you think that '@user.userId' and '@customer.customerId' inject values from the xml file? Anyway I am going to try it. Thanks! – user262 Nov 04 '13 at 21:12

Why do you declare User and Customer as Spring beans?

rdm
  • Because the two classes, i.e., User and Customer, are my Spring beans that have userId and customerId member variables (properties), respectively. In short, I have User.java and Customer.java classes. The question is how to pass values initialized in the XML file into the SpEL expression above in order to secure the 'edit' method. I am going to try Rob's suggestion, and let you guys know about the outcome. Thanks! – user262 Nov 01 '13 at 17:01
  • I've tried Rob's suggestion, but ended up with an exception: java.lang.IllegalArgumentException: Failed to evaluate expression '(@userBean.userId == @customerBean.customerId)'. Your suggestion is also appreciated. Thanks! – user262 Nov 04 '13 at 10:26
  • Change '@userBean.userId' to '@user.userId' and '@customerBean.customerId' to '@customer.customerId' – rdm Nov 04 '13 at 20:53
  • The same exception: Request processing failed; nested exception is java.lang.IllegalArgumentException: Failed to evaluate expression '(@user.userId == @customer.customerId)' – user262 Nov 04 '13 at 21:37